*** Settings ***
Documentation    Test Redfish service root login security.

Resource         ../../lib/bmc_redfish_resource.robot
Resource         ../../lib/openbmc_ffdc.robot

Test Teardown    FFDC On Test Case Fail
Test Setup       Printn

*** Variables ***

# Number of additional sessions opened by "Create Multiple Login Sessions And
# Verify" (on top of the initial login made by that test).
${LOGIN_SESSION_COUNT}  ${50}

# Security-related response headers the Redfish service must return.
# "Login And Verify HTTP Response Header" requires every key below to be
# present in the response with exactly this value; headers not listed here
# are ignored by the check.
&{header_requirements}  Strict-Transport-Security=max-age=31536000; includeSubdomains; preload
...                     X-Frame-Options=DENY
...                     Pragma=no-cache
...                     Cache-Control=no-Store,no-Cache
...                     Content-Security-Policy=default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'
...                     X-XSS-Protection=1; mode=block
...                     X-Content-Type-Options=nosniff

*** Test Cases ***

Redfish Login With Invalid Credentials
    [Documentation]  Login to BMC web using invalid credential.
    [Tags]  Redfish_Login_With_Invalid_Credentials
    [Template]  Login And Verify Redfish Response

    # Each row is one login attempt that must be rejected: a wrong password,
    # an unknown user, and the three combinations of empty fields.
    # Username           Password             Expect status
    ${OPENBMC_USERNAME}  deadpassword         InvalidCredentialsError
    groot                ${OPENBMC_PASSWORD}  InvalidCredentialsError
    ${EMPTY}             ${OPENBMC_PASSWORD}  SessionCreationError
    ${OPENBMC_USERNAME}  ${EMPTY}             SessionCreationError
    ${EMPTY}             ${EMPTY}             SessionCreationError


Redfish Login Using Unsecured HTTP
    [Documentation]  Login to BMC web through http unsecured.
    [Tags]  Redfish_Login_Using_Unsecured_HTTP

    # The session URL has no explicit port, so the plain-HTTP default is used.
    Create Session  openbmc  http://${OPENBMC_HOST}
    ${data}=  Create Dictionary
    ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

    ${headers}=  Create Dictionary  Content-Type=application/json

    # The test passes only when the connection itself is refused. Any other
    # outcome (including an HTTP error status or a successful login) fails it.
    # NOTE(review): if the BMC ever does accept the plain-HTTP connection, the
    # real credentials in ${data} are sent unencrypted before the test fails;
    # consider placeholder credentials here - confirm with the suite owners.
    Run Keyword And Expect Error  *Connection refused*
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}


Redfish Login Using HTTPS Wrong Port 80 Protocol
    [Documentation]  Login to BMC web through wrong protocol port 80.
    [Tags]  Redfish_Login_Using_HTTPS_Wrong_Port_80_Protocol

    # HTTPS is pointed at port 80 on purpose.
    Create Session  openbmc  https://${OPENBMC_HOST}:80
    ${data}=  Create Dictionary
    ...  UserName=${OPENBMC_USERNAME}  Password=${OPENBMC_PASSWORD}

    ${headers}=  Create Dictionary  Content-Type=application/json

    # As above, only a refused connection counts as a pass; an error of any
    # other kind does not match the expected pattern.
    Run Keyword And Expect Error  *Connection refused*
    ...  POST On Session  openbmc  /redfish/v1/SessionService/Sessions
    ...  data=${data}  headers=${headers}


Create Multiple Login Sessions And Verify
    [Documentation]  Create 50 login instances and verify.
    [Tags]  Create_Multiple_Login_Sessions_And_Verify
    # Cleanup errors are ignored so a failed delete does not mask the test
    # result.
    [Teardown]  Run Keyword And Ignore Error  Multiple Session Cleanup

    Redfish.Login
    # Example:
    #    {
    #      'key': 'L0XEsZAXpNdF147jJaOD',
    #      'location': '/redfish/v1/SessionService/Sessions/qWn2JOJSOs'
    #    }
    ${saved_session_info}=  Get Redfish Session Info

    # Sessions book keeping for cleanup once done.
    # NOTE(review): the session saved above is created before this list and is
    # never appended to it, so "Multiple Session Cleanup" does not delete it;
    # confirm it is closed elsewhere.
    ${session_list}=  Create List
    Set Test Variable  ${session_list}

    Repeat Keyword  ${LOGIN_SESSION_COUNT} times  Create New Login Session

    # Update the redfish session object with the first login key and location
    # and verify if it is still working, i.e. opening further sessions must
    # not invalidate the first one.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}
    Redfish.Get  ${saved_session_info["location"]}


Attempt Login With Expired Session
    [Documentation]  Authenticate to redfish, then log out and attempt to
    ...  use the session.
    [Tags]  Attempt_Login_With_Expired_Session

    Redfish.Login
    ${saved_session_info}=  Get Redfish Session Info
    Redfish.Logout

    # Attempt to reuse the session that was just closed by the logout above.
    # By default 60 minutes of inactivity closes the session; this test does
    # not wait for that timeout, it ends the session explicitly instead.
    Redfish.Set Session Key  ${saved_session_info["key"]}
    Redfish.Set Session Location  ${saved_session_info["location"]}

    # The stale key must be rejected: only HTTP_UNAUTHORIZED is accepted.
    Redfish.Get  ${saved_session_info["location"]}  valid_status_codes=[${HTTP_UNAUTHORIZED}]


Login And Verify HTTP Response Header
    [Documentation]  Login and verify redfish HTTP response header.
    [Tags]  Login_And_Verify_HTTP_Response_Header

    # Example of HTTP redfish response header (illustrative only; the values
    # actually required are those in &{header_requirements}, and the
    # Content-Security-Policy shown here is shorter than the required one).
    # Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    # X-Frame-Options: DENY
    # Pragma: no-cache
    # Cache-Control: no-Store,no-Cache
    # Content-Security-Policy: default-src 'self'; img-src 'self' data:
    # X-XSS-Protection: 1; mode=block
    # X-Content-Type-Options: nosniff

    Rprint Vars  header_requirements  fmt=1

    Redfish.Login
    ${resp}=  Redfish.Get  /redfish/v1/SessionService/Sessions

    # The getheaders() method returns the headers as a list of tuples:
    # headers:
    #    [Strict-Transport-Security]:   max-age=31536000; includeSubdomains; preload
    #    [X-Frame-Options]:             DENY
    #    [Pragma]:                      no-cache
    #    [Cache-Control]:               no-Store,no-Cache
    #    [Content-Security-Policy]:     default-src 'self'; img-src 'self' data:
    #    [X-XSS-Protection]:            1; mode=block
    #    [X-Content-Type-Options]:      nosniff
    #    [X-UA-Compatible]:             IE=11
    #    [Content-Type]:                application/json
    #    [Server]:                      iBMC
    #    [Date]:                        Tue, 16 Apr 2019 17:49:46 GMT
    #    [Content-Length]:              2177

    ${headers}=  Key Value List To Dict  ${resp.getheaders()}
    Rprint Vars  headers  fmt=1

    # Every required header must be present with the exact required value.
    # NOTE(review): the comparison is on literal key and value text, so it
    # presumably relies on the server sending header names with this
    # capitalisation - confirm.
    Dictionary Should Contain Sub Dictionary  ${headers}  ${header_requirements}


*** Keywords ***

Login And Verify Redfish Response
    [Documentation]  Login and verify redfish response.
    [Arguments]  ${username}  ${password}  ${expected_response}

    # Description of arguments:
    # username            The username to be used to connect to the server.
    # password            The password to be used to connect to the server.
    # expected_response   Text expected in the login error message
    #                     (e.g. "SessionCreationError").

    # The redfish object may preserve a valid username or password from the
    # last failed login attempt.  If we then try to login with a null username
    # or password value, the redfish object may prefer the preserved value.
    # Since we're testing bad path, we wish to avoid this scenario so we will
    # clear these values.

    Redfish.Set Username  ${EMPTY}
    Redfish.Set Password  ${EMPTY}

    # The login has to fail: a successful login raises no error and therefore
    # fails this keyword.
    ${msg}=  Run Keyword And Expect Error  *  Redfish.Login  ${username}  ${password}

    # redfish package version <=3.1.6 default response is InvalidCredentialsError.
    # Because of that, InvalidCredentialsError is accepted for every row, even
    # when the row expects a different error.
    Should Contain Any  ${msg}  InvalidCredentialsError  ${expected_response}


Create New Login Session
    [Documentation]  Multiple login session keys.

    # Each call opens one more session and records where to delete it later.
    Redfish.Login
    ${session_info}=  Get Redfish Session Info

    # Append the session location to the list.
    # ['/redfish/v1/SessionService/Sessions/uDzihgDecs',
    #  '/redfish/v1/SessionService/Sessions/PaHF5brPPd']
    Append To List  ${session_list}  ${session_info["location"]}


Multiple Session Cleanup
    [Documentation]  Do the teardown for multiple sessions.

    # Collect failure data first, while the sessions still exist.
    FFDC On Test Case Fail

    # Delete every session recorded in ${session_list} so the test does not
    # leave them open on the BMC.
    FOR  ${item}  IN  @{session_list}
        Redfish.Delete  ${item}
    END